Hackers Can Make It Impossible to Dial 911

January 5, 2017

Homeland & Cyber Security

By
Mordechai Guri
Head of Research and Development, BGU Cyber Security Research Center
Yisroel Mirsky
Research Project Manager, BGU Cyber Security Research Center
Prof. Yuval Elovici
Director, BGU Cyber Security Research Center

SFGate — It’s not often that any one of us needs to dial 911, but we know how important it is for it to work when one needs it. It is critical that 911 services always be available – both for the practicality of responding to emergencies, and to give people peace of mind.

But a new type of attack has emerged that can knock out 911 access. Our research explains how these attacks occur as a result of the system’s vulnerabilities. We show these attacks can create extremely serious repercussions for public safety.

In recent years, people have become more aware of a type of cyberattack called “denial-of-service,” in which websites are flooded with traffic – often generated by many computers hijacked by a hacker and acting in concert with each other. This happens all the time, and has affected traffic, financial institutions, entertainment companies, government agencies, and even key internet routing services.

A similar attack is possible on 911 call centers. In October, what appears to be the first such attack launched from a smartphone happened in Arizona. An 18-year-old hacker was arrested on charges that he conducted a telephone denial-of-service attack on a local 911 service. If we are to prevent this from happening in more places, we need to understand how 911 systems work, and where the weaknesses lie, both in technology and policy.

Computer networks have capacity limits. They can handle only so much traffic, so many connections, at one time. If they get overloaded, new connections can’t get through. The same thing happens with phone lines, which are mostly computer network connections anyway.

So if an attacker can manage to tie up all the available connections with malicious traffic, no legitimate information – such as regular people browsing a website, or calling 911 in a real emergency – can make it through.

To better understand how denial-of-service attacks could affect 911 call systems, we created a detailed computer simulation of North Carolina’s 911 infrastructure, and a general simulation of the entire U.S. emergency call system.

After we set up our simulation, we attacked it to find out how vulnerable it is. We found that it was possible to significantly reduce the availability of 911 service with only 6,000 infected mobile phones – just 0.0006 percent of the state’s population.

Nationally, a similar percentage, representing just 200,000 hijacked smartphones, would have a similar effect. But this is, in a certain sense, an optimistic finding.

Trey Forgety, the director of government affairs for the National Emergency Number Association, responded to our findings in The Washington Post, saying, “We actually believe that the vulnerability is in fact worse than [the researchers] have calculated.”

The countermeasures that exist, or are possible, today are difficult and highly flawed. Many of them involve blocking certain devices from calling 911, which carries the risk of preventing a legitimate call for help. But they indicate areas where further inquiry – and collaboration between researchers, telecommunications companies, regulators and emergency personnel – could yield useful breakthroughs.

For example, cellphones might be required to run monitoring software to block themselves from making fraudulent 911 calls. Or 911 systems could examine identifying information of incoming calls and prioritize those made from phones that are not trying to mask themselves. We must find ways to safeguard the 911 system, which protects us all.

This article was originally published on The Conversation.